Jumping to OSINT Conclusions

We all have done it. We find a Tweet, an IP address, or some other piece of information during an investigation, and we gleefully toss it into our report thinking we have the smoking gun or some killer argument that will win the day. Or, we use definitive language like we know for certain what a single piece of information means.

I have had a more senior investigator shred my own reports for using definitive language in a pure OSINT investigation.

Rightfully so.

I spend a lot of time combing through news articles and court cases looking at how social media or other forms of OSINT are turning up in cases and I spotted one the other day that I thought was interesting.

WARNING: This is a sexual interference case, and contains information that might be upsetting or offensive. Don’t read the entirety of the case if it bothers you; I’ll snip out the relevant pieces. As with other legal case pieces I write about, this is not a criticism of the defense, prosecution or law enforcement. I’m not a lawyer. You’ve been warned.

The Background

In this particular case, it is a 53-year old accused with a 14-year old complainant. There are a lot of interesting tidbits on apps used, such as Grindr, which might be worth reading about.

What caught my eye was the defense counsel raising the fact that the complainant had Tweeted four days after the alleged incident took place:

[27] At various times, the complainant described the alleged events with Mr. Angel as being highly traumatic. On July 10, 2016, four days after the alleged events, however, the complainant acknowledged having tweeted, “I am so happy right now”, followed by four smiley faces.

This was interesting to me right away, as I could see how an eager private investigator or someone working on behalf of the defense counsel would use this as an opportunity to say that it couldn’t have been very traumatic if they were Tweeting this statement four days after the alleged offense.

They try to hammer this point home again later on (Angel is the accused):

[61] Mr. Angel submits that the complainant was not a reliable witness. Mr. Angel notes that the complainant often answered that he did not recall or did not know, including at very important junctures such as when he was asked about the disabling of his Grindr account, and whether or not Mr. Angel was circumcised. Mr. Angel submits that it is hard to reconcile the complainant’s description of the events at issue with his July 10, 2016 tweet that “I am so happy right now” followed by four smiley faces.

Now, where the cautionary tale for OSINT folks comes into play is where the judge says the following:

[87] Regarding the complainant’s July 10, 2016 tweet about being “so happy”, I am not prepared to engage in stereotypical thinking that this tweet cannot be reconciled with the complainant’s description of a highly traumatic event. It often takes time for young victims of sexual exploitation to fully process their feelings, particularly when they may perceive themselves to have been willing participants. It is also not uncommon for victims of sexual abuse to put on a happy face to mask their true inner feelings. In this case, I lack sufficient context to draw any adverse conclusion from the complainant’s tweet.

Right. This really drove a point home for me when I read this. Just because we (the investigators) feel that something is important, does not mean our intended audience will feel the same way. Clearly the judge did not agree with the assertion put forward regarding the Tweet in question.

Some Thoughts

Too often we are taking data, drawing inferences from it, reporting on it and then not corroborating or even testing the validity of the information. This is covered by Micah Hoffman as well, in his excellent post on The 5 Biggest Mistakes During an OSINT Investigation.

I absolutely think that the defense should have been doing social media research, and I wouldn’t even argue that the Tweet should be not have been raised. I am not a legal strategist. Most lawyers are going to first weigh the pros and cons of every statement or piece of evidence before submitting it before the court.

They’ll make a risk calculation carefully before using or discarding that information.

But are we doing this in our investigations?

We really should be, especially before putting pen to paper.

Some Tips

It is always tough to determine what information to include in a deliverable before it is sent out. You don’t want to overload the client with information but we don’t want to leave out potentially relevant information either.

Here are some tips in general that I have found useful before, during and after an investigation:

Before you start, make sure you fully understand what your client (internal/external/the public) is using your report for, what their objectives are, and fully understand the scope of the materials they expect to receive (as much data as possible vs. only data that fits certain criteria).

Document everything you do. Use Hunchly. If you miss something in your report, you can always go back through your case, review the data you captured and amend the report if required.

Get a third party investigative review of your report. A fellow OSINT-slinger is ideal; they can spot gaps in analysis, areas where you could have fleshed out additional context or they can point out additional techniques that could assist in your case.

Get a third party non-investigative review of your report. These eyeballs will be more in line with your audience, the consumer of your report. It will identify language issues, question any statements you make, or raise issues where you are using technical language that is difficult to understand. Fix it, send it back. Rinse, wash, repeat.

Before you ship: question everything. Even if you feel a Tweet is relevant, it is a good idea to think about arguments and counter-arguments. You are likely not a doctor, lawyer, or psychologist so don’t pretend to be one. Instead, give your audience viewpoints on the data that can help better inform them and try to think of how any of your findings could be challenged.

Stay tuned for any other additional cases that we find interesting. If you know of a case in your country that you found interesting, please send it to us: justin@hunch.ly

If you haven’t taken Hunchly for a spin yet, grab a free 15-day trial here.